Looking for the best ultimate Joomla security guide? This JovialGuide is an ultimate Joomla security guide that would show you how you can secure your Joomla website from hackers.
If your Joomla website has ever been hacked, you’ll surely take Joomla security very serious (because of the pain you went through during the time your website got hacked).
Securing your Joomla website against hackers and vulnerabilities would require you to invest a lot of money and more time just to have your Joomla website secure. Investing money to keep your Joomla website secure could be; running your website on Joomla managed hosting plan, which is more expensive and secure than other regular Joomla hosting plans.
It could also be; paying a cyber security expert to secure your Joomla website for you. This would really cost you a lot of money. There are other things you can do in-order to secure your Joomla website. These things would cost you money. You’ll have to spend if you really want to secure your Joomla website!
Website security is the topic no one jokes about. Being hacked costs a lot!
A good number of hackers hack for money while some hack just to steal from your website. If you have ever been hacked, you’d understand the pains of being hacked!
With this ultimate Joomla security guide, you’ll be able to properly secure your Joomla website in 2019.
There’s something we’d like you to note; Joomla security is beyond installing Joomla and installing the best Joomla security extensions to help you do the job, you have your role to play!
Joomla security is beyond using the best Joomla security extensions, but it’s about giving your website the best Joomla security practices (which we will show you in this post)!
Some of the things you should have in mind about securing your Joomla website (Joomla security) are;
- Picking a secure Joomla hosting company
- Using strong password
- Not giving out your admin login details
The above are some of the things you should do to secure your Joomla website.
Earlier in this Joomla security guide, we showed you that Joomla security is not all about using the best Joomla security extensions, implementing the best Joomla security practices!
This JovialGuide is an ultimate Joomla security guide that would show you how to secure your Joomla website.
Never forget that no website is 100% secure (without vulnerabilities/security issues). It is either the vulnerability hasn’t been discovered yet, the vulnerability has been discovered but no one has any idea of how it could be exploited, or, hackers just choose to not exploit the vulnerabilities!
Table of Contents
Is Joomla Secure?
If there’s any Joomla security question that comes to your mind, it is is Joomla secure?!
Joomla is secure and there’s no doubt about that, not ’cause of the availability of its security extensions, but because of the foundation behind it (Model View Control – MVC). It’s a secure Content Management System (CMS), this doesn’t mean that it has no security flaws, it has!
The most important thing you should do is to give it the best Joomla security practices.
Joomla Security Issues
Every website has it own security issues, whether it’s a CMS like WordPress, Magento, Drupal, or any kind of website, they all have their own security issues and not Joomla alone!
It is very true that Joomla is a secure Content Management System, but it has vulnerabilities like every other Content Management System.
Some Joomla security issues are;
- SQL injection
- RFI (Remote File Inclusion)
- Bruteforce attacks
The above are a few examples of Joomla security issues.
What Would Happen If my Joomla Website gets Hacked?
You don’t have to be told what would happen if your Joomla website gets hacked! You should know that it may;
- Get defaced
- Get destroyed
- You may loose your website
We always recommend you secure your Joomla website by giving it the best security practices to avoid stories that touches the heart!
Like when someone breaks into a house to steal. They break-in to steal and also to destroy, so, you don’t have to wonder what would happen if your Joomla website gets hacked!
Ultimate Joomla Security Guide – How to Secure your Joomla Website (2019)
Earlier in this Joomla security guide, we showed you some Joomla security issues, what would happen if your Joomla website gets hacked, etc., all of them are related to Joomla security and should be taken serious.
The following sub-sections of this ultimate Joomla security guide will show you how to secure your Joomla website (best security practices – 2019).
Step #1. Choose the Right/Best Joomla Hosting Company (2019)
Joomla hosting on the other hand, contributes to the security of your website. A poor/improperly configured webserver gives room for your Joomla website to get hacked easily. Choosing the right Joomla hosting company is the right step you should take to secure your Joomla website.
A secure Joomla hosting provider is the most important thing you should consider when choosing Joomla hosting for your website. Running your Joomla website on an improperly configured webserver would expose your website to vulnerabilities, making them absolutely easy for hackers to get into your Joomla website.
Joomla hosting plans come in different sizes, these sizes do determine the cost. The highest Joomla hosting plan is not the same as the cheapest Joomla hosting plan when it comes to space, security, etc.
Shared Joomla hosting plans aren’t as secure as you think! When you host your Joomla website on a shared hosting server, it is hosted on an open or shared server/environment (where every other website is hosted). Meaning that; when any website on the same shared hosting server (as your website) is attacked, it may affect your Joomla website and may make your website become at risk and you may be attacked also!
On like managed Joomla hosting, your Joomla website is hosted on a properly configured webserver which carries additional security. On a managed hosting environment, your Joomla website is hosted alone, you don’t share web hosting resources with any website!
There’s something that is great about shared Joomla hosting plans, the price! The cost of hosting a Joomla website on a shared server is pretty cheap! Shared Joomla hosting is the cheapest for any body and it’s recommended/suitable for small websites (with low traffic). One bad thing about shared Joomla hosting server is that; it’s not all that secure.
A managed Joomla hosting server is absolutely secure, and it can accomodate any number of traffic (depending on the managed hosting plan). It’s recommended or suitable for large websites (with large amount of traffic). The bad side of managed Joomla hosting is that; it’s pretty expensive!
Shared Joomla hosting plans are cheap and less secure while managed Joomla hosting plans are absolutely secure, but pretty expensive.
The reason managed Joomla hosting is more secure than shared Joomla hosting is that; on shared Joomla hosting environment, your website is hosted along-side with other websites (still on that same webserver). You share web hosting resources/space with other website hosted on that same server. When any website is attacked, your website will become at risk because you are on the same webserver with the website that is being attacked.
Meanwhile, on a managed Joomla hosting server, your website is hosted on a special webserver and you don’t share any web hosting space/resources with any website. Any website that gets attacked will not put your own website at risk, because you are the only one (your website alone) on that webserver.
Some Joomla hosting providers host websites on their improperly configured webserver. This will make your Joomla website easy to hack.
For shared Joomla hosting, you can get cheap Joomla hosting services from:
For managed Joomla hosting, we recommend:
For the complete list, see the best managed Joomla hosting companies.
There are hundreds of companies offering Joomla hosting services, it may be difficult to choose one to host your Joomla website. We wrote a JovialGuide that would help you pick the best Joomla hosting company. See the best Joomla hosting companies for detailed instructions.
Step #2. Secure Your Joomla Website During Installation
After picking the best Joomla hosting for your website, you’ll have to install Joomla. Before that, you have to secure your Joomla website during installation!
Securing your Joomla website during installation happens to be what you should take very serious. You may not know how vulnerable your Joomla website is because of poor configuration during the installation of Joomla.
During the installation processes, you are always asked to choose a super user password, username, Email address, database username, database password, etc. At this time, you’d want to choose very simple login details that would be easy for you to remember. These simple login details you choose, exposes your Joomla website to web application attacks. For example; brute force attack.
These simple and easy to remember login details you picked during the installation of Joomla could be changed by you at anytime. They are pretty easy for you to remember but absolutely easy to guess by hackers!
Step #2.1. How to Secure Your Joomla Website During Installation
Securing your Joomla website during installation is pretty simple!
We wrote a JovialGuide that explains everything about securing your Joomla website during installation.
Step #3. Keep Joomla up to Date (Extensions and Templates)
You already know that anything that is outdated is no more in use. Any software that has an updated version means that there were bugs found in the previous version, and the bugs that were discovered has been patched, and a new version of the software is out!
You don’t have to be told to update your Joomla website, it’s something you should quickly do whenever a new version is out. If new versions of Joomla software, Joomla extension and templates are released, it means that there are improvements and bugs were found in the previous version.
Your Joomla extensions, templates and Joomla software itself, should be up-to the latest version. It would make your Joomla website have an excellent performance.
Many of the problems you encounter aren’t from your Joomla hosting provider, a good number of them are from you. This is because you think that finding time to update your Joomla core files (template, extensions and Joomla software itself) to the latest version would take much of your time, and after all, it isn’t necessary! That’s not true! They are absolutely necessary in-order to secure your Joomla website! Except you are thinking of leaving your Joomla website open to vulnerabilities.
A new version of any Joomla core file have security patches and can’t be easily hacked, because bugs are yet to be found.
Don’t forget that nothing’s absolutely (100%) secure!
Running the latest version of all Joomla core files would make your website less vulnerable to attacks.
Step #4. Backup Your Joomla Website Regularly Using Joomla Backup Extensions
After updating Joomla, the next thing that follows is to backup your Joomla website.
What happens when you loose your website to hackers?! How do you restore it?! There’s absolutely no way you can get your Joomla website back without the help of your website backup. Backup helps you restore your website if it gets hacked or you loose your website to any reason.
We always advice you backup your Joomla website regularly to avoid stories that touches!
What else do hackers do to one’s website when they get access to it, if not to steal, destroy, etc?! You can easily restore your Joomla website if you made a backup of it.
Website backups are done in case anything happens to your website. Backups are not done with any certain thought that something is surely going to happen. But, it’s done in preparation (in case anything happens) for anything that may happen.
What happens if you didn’t make any backup of your Joomla website? Forget it, your Joomla website is gone!
Do well to always backup your Joomla website regularly in case anything happens to it.
The best Joomla backup extensions are also available, both free and paid versions. These Joomla backup extensions enable you make backups of your Joomla website in case anything happens. Anything could happen, like; your Joomla website getting hacked, poor Joomla hosting services, etc.
The backup of a website is used to restore a website when anything happens to the website on a live webserver.
There are many Joomla backup extensions, they are available in both free and paid versions. Both lets you backup your Joomla website.
Some free Joomla backup extensions are;
- Akeeba Backup
- Easy Joomla Backup – EJB
For the complete list, see the best free Joomla backup extensions.
Step #5. Use Joomla Security Extensions to Harden your Website
There are dozens of security extensions created specially for Joomla. These Joomla security extensions help you secure, provides report on the most recent attacks, etc., in your Joomla website. Joomla security extensions don’t just provide reports on the most recent, blocked or failed attempts, but they also help you secure your Joomla website!
Here are some Joomla security extensions you should use:
Step #6. Make Use of Strong Admin Password
Your Joomla website becomes pretty easy to hack if you use weak password for your admin account. Most of the successful hacking attempts in Joomla, are as a result of the use of weak admin password.
Many people use their names, date of birth, pet name, etc., as their admin password. This is not in anyway recommended. It is useful because it’s easy to remember but it’s harmful. It allows your Joomla website to be hacked easily (using trial and error method, brute force method, guessing method, etc).
To harden/secure your Joomla website, we highly recommend you use strong password for your admin account.
Step #7. Restrict/Limit Access by IP to the Admin Directory of your Joomla Website Using .htaccess
Limiting access to the sensitive admin directory of your Joomla website is one of the steps you should quickly take to secure your Joomla website against hackers.
We call it the sensitive administrative directory of your Joomla website because anyone that gets access into it, is actually in the right position to destroy your Joomla website in just a second! Since it’s a very sensitive directory in your Joomla website, it has to be secured against hackers!
Isn’t it annoying when someone you don’t permit accesses your privacy? Yes, it is!
The .htaccess file is a very powerful configuration file that is found on webservers. It is a powerful configuration file that it can be used to secure your Joomla website, make URLS search engine friendly, etc.
Any improper configuration in the .htaccess file will crash your Joomla website.
Restricting access works with the help of an IP address (Internet Protocol address) that is written together with a code snippet which is added to a configuration .htaccess file of your Joomla website. Any IP address that isn’t in the code snippet added to the .htaccess file, won’t be allowed into the administrative directory of your Joomla website. This looks like a magic but it isn’t!
The administrative directory of your Joomla website is the administrator directory. You see that the backend of your Joomla website is right in there. You may also notice that each time you try to access the administrator (login page), you are always asked to provide the correct username and password before being able to access the backend (its contents) of your Joomla website. This is because it is the administrative section of your Joomla website, anyone that gets in there can destroy your website.
The contents of the backend of your Joomla website are stored right inside the administrator folder/directory.
You may be surprised to know that the administrator is a directory/folder, yes, it is!
Did you know that restricting access to the administrative directory of Joomla (by IP) hardens your Joomla website, making it pretty hard for hackers to get into it?! It denies access to the administrator directory (by IP address). Any IP address that is not whitelisted (on the .htaccess file) would be denied access. This is very simple!
Step #7.1. How to Limit Access by IP to the Administrative Directory of Joomla Using .htaccess
Blocking/restricting access to the administrative directory of your Joomla website won’t only secure your Joomla website but scare hackers from your Joomla website!
If you’d like to restrict access by IP to the administrative directory of your Joomla website, then do the right thing by blocking unauthorized access!
One of our Joomla tutorials teaches you how to restrict access by IP to the administrative directory of Joomla using .htaccess
Step #8. Restrict Certain Files During Upload
This should be considered serious if you allow attachment/file upload in the comments section, or you run a forum in Joomla that allow files/attachments upload. This should be watched closely!
These files, when uploaded into the webserver, gives the attacker the privilege to gain full access into your Joomla website. This could result in; deletion and defacement of the most important files of your Joomla website (for example the index.php file).
Some of these scripts may render your website weak, such that it can’t withstand further hacking attempts. While some of these scripts give the attacker the privilege to remotely control and gain full access into your website. While some simply reset/change your admin password.
This script we have been talking about is called a shell.
We recommend that you make use of the .htaccess file available in the File Manager of your Joomla hosting account to limit file upload by size and type.
Step #9. Avoid Nulled Joomla Templates and Extensions (Paid Extensions or Templates Offered for Free)
This is one of the most common method attackers use in gaining access to your website unexpectedly. They Inject malicious code into the premium template or extension you are receiving from them for free. When installed and activated, they automatically have remote access over your Joomla website.
The next thing that comes into your mind is your Joomla hosting provider. You’d say; “they have started again, they aren’t trusted and their webserver isn’t secure enough to protect websites from minor hacking attempts“. Finally, you’d say; “hey, I’m leaving, your hosting company isn’t secure!“, when you actually are the one that caused it!
Premium Joomla templates and extensions offered for free aren’t always offered just for free, they use it in taking control of your Joomla website, while others use it in destroying or defacing your website.
Why would someone purchase an extension or a template then offer it for free without anything in exchange?! Something must be behind it!
You don’t have to be told to stop using premium Joomla templates and extensions that are offered for free. They are pretty risky!
Step #10. Stay Away From Poorly Coded Joomla Templates and Extensions
Running your website with improperly coded Joomla templates or extensions may end up leaving your website for hackers to take-over. The goal is to secure your Joomla website and not to make it vulnerable to attacks.
Poorly written Joomla templates and extensions can cause different (serious) harm to your Joomla website. Some of them can;
- Deface your website
- Overwrite the sensitive files that make up your Joomla website
Whether it is a template or an extension that is improperly coded, it isn’t recommended! They can cause serious harm to your website or it can leave your Joomla website open to different web application vulnerabilities/attacks. So, stay away from them!
Conclusion on – the Ultimate Joomla Security Guide – Step by Step (2019)
This ultimate Joomla security guide has shown you the things you need to do to properly secure your Joomla website against hackers.
We made this ultimate Joomla security guide to put you through the steps to properly secure your Joomla website.
There are other Joomla tutorials we covered in the Joomla section of this website (JovialGuide), see our Joomla tutorials.